5101:12-1-20.2
Safeguarding of information from the internal revenue service and safeguarding visit procedures.

(A) This rule describes the procedures an agency is required to follow in order to safeguard information received from the internal revenue service (IRS). The procedures for safeguarding federal tax information (FTI) are based upon the tax information security guidelines described in IRS publication 1075 (rev. 8/2010). IRS publication 1075 is available at www.irs.gov. The safeguarding requirements of this rule apply to any paper, electronic, or imaged record.

For purposes of this rule, an agency includes a child support enforcement agency (CSEA), or any public or private entity that has access to FTI.

(B) Failure to comply with the safeguarding requirements of this rule shall result in the revocation of access to the support enforcement tracking system (SETS) or any other computer application that contains information from the IRS, Ohio department of taxation (ODT), state parent locator service (SPLS), federal parent locator service (FPLS), or unemployment compensation (UC).

(C) For purposes of this rule, FTI is defined as federal tax return information other than information provided by the taxpayer, including but not limited to:

(4) Identification of the payment source as an IRS tax refund offset collection.

(D) Each CSEA shall complete and submit to the office of child support (OCS) within ODJFS a JFS 07072, "Safeguarding of Internal Revenue Service, Ohio Department of Taxation, Federal Parent Locator Service, and Unemployment Compensation Information" (rev. 2/2006) no later than the last day of March each year. The JFS 07072 must be signed and dated by the director or administrator of the CSEA.

(1) Submit to OCS a completed and signed JFS 07014, "Tax Information Safeguarding Authorization Agreement" (rev. 4/2008) for each agency employee who has access to FTI upon the employment or re-employment of the employee and on an annual basis no later than the last day of March thereafter.

(2) Establish, maintain, and make available to OCS or the IRS upon request, a permanent FTI tracking system, utilizing one of the following methods:

(i) The database contains all of the same data elements as the JFS 07019; and

(ii) The CSEA submits the database to OCS for approval and OCS approves the database.

(3) Establish and maintain a permanent system of standardized records with regard to a request made by the agency for FTI from the IRS, including the reason for the request, the date the request is made and the date FTI is received, and the name of the agency employee(s) having access to the information.

(4) Store FTI during non-duty hours in accordance with the secure storage and minimum protection standards described in IRS publication 1075.

(5) Limit access to file keys and safe combinations to the agency employee responsible for safeguarding FTI and a maximum of two alternates who are permitted access to the FTI.

(6) Limit access to FTI to only the agency employees who are authorized to inspect and use the information.

(7) Follow the commingling standards described in IRS publication 1075 by maintaining FTI obtained from the IRS either separately from a file or within a file. When FTI is maintained within a file, the outside jacket of the file shall have a label stating that the file contains FTI.

(8) Ensure that mail received containing FTI, that is properly labeled as described in paragraph (E)(10)(a) of this rule, is not opened before delivery to the agency employee(s) responsible for safeguarding the information.

(9) Ensure that computer stations are safeguarded utilizing appropriate methods, including but not limited to:

(10) Ensure that correspondence containing FTI is properly transmitted in the following methods:

(a) When sending the correspondence by ordinary mail, the agency shall send the correspondence in a double-sealed envelope with a label on the inner envelope that alerts the recipient that the mail contains FTI;

(b) When sending the correspondence by electronic mail, the agency shall send the correspondence as an attachment to the electronic message that is encrypted and password protected. The text of the electronic message shall alert the recipient that the attachment contains FTI; and

(c) When sending the correspondence by facsimile (i.e., fax), the agency shall:

(i) Include a cover sheet that alerts the fax recipient that the correspondence contains FTI and indicate the name of the intended fax recipient;

(ii) Verify that the intended fax recipient is an authorized person; and

(iii) Verify that the intended fax recipient will be present at the fax machine to receive the correspondence at the time the agency sends it.

(11) Ensure that FTI is destroyed in accordance with the destruction methods described in IRS publication 1075 when FTI is no longer needed by the agency.

(12) In accordance with a schedule that shall be established by OCS, each CSEA with access to FTI shall, at the direction of OCS, either participate in a safeguarding visit or complete a safeguarding self-inspection in accordance with paragraphs (F) and (G) of this rule at least once every three years.

(13) OCS shall complete a visit in accordance with paragraph (F) of this rule at least once every eighteen months for internal headquarters and facilities housing FTI.

In accordance with IRS publication 1075, OCS may conduct an FTI safeguarding visit (hereafter "visit") with each agency that has access to FTI that is related to the child support program. The purpose of the visit is to ensure that adequate FTI safeguards and security measures are maintained by the agency.

(a) OCS shall send to the agency an initial report documenting the visit within fifteen business days from the date of the visit. The initial report shall identify any FTI safeguarding vulnerabilities of the agency that are discovered during the visit.

(b) When the agency receives the initial report from OCS and the initial report identifies any FTI safeguarding vulnerabilities, the agency shall send to OCS a written response that describes the actions the agency shall take to remedy the vulnerabilities, including a timeline for completing the actions. The agency may also provide additional information or clarify any identified vulnerabilities contained in the initial report. The agency shall send the written response to OCS no later than thirty days after the receipt of the initial report from OCS.

(c) OCS shall respond to the agency written response described in paragraph (F)(3)(b) of this rule, indicating whether the actions proposed to remedy any vulnerabilities meet the federal or state safeguarding regulations; OCS may also request additional information from the agency. OCS shall send the final report to the agency no later than forty-five days after issuing the initial report.

In accordance with IRS publication 1075, OCS may require that a CSEA complete an FTI self-inspection of each agency location that has access to FTI that is related to the child support program. The purpose of the self-inspection is to ensure that adequate FTI safeguards and security measures are maintained by the agency.

(a) Within fifteen days of receipt of the completed self-inspection report questionnaire, OCS shall notify the agency as to whether additional information is required. Should additional information be required, the agency shall submit the additional information within fifteen days of the request for information. If no additional information is required, OCS shall notify the agency that the self-inspection report questionnaire has been accepted.

(b) Should the CSEA fail to return the self-inspection report questionnaire or respond to a request for additional information within the required timeframe, OCS reserves the right to conduct an on-site inspection in accordance with rule 5101:12-1-20.2 of the Administrative Code.

(H) Agency reporting requirements for unauthorized access to or inspection of FTI.

An agency shall comply with the following requirements, in accordance with the FTI incident response and incident reporting standards described in IRS publication 1075, including but not limited to: